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Introduction 


Traditional network architecture was built with the concept of a perimeter network 
where once someone was on the network, there was an implicit level of trust. 

The shift toward cloud hosting, remote work and other modernization has created 
challenges with a traditional perimeter network architecture. 


These challenges can be addressed by implementing a Zero Trust Architecture, which 
ensures that all traffic in and out of a business is verified and authorized. Implementing 
a Zero Trust Architecture can be done in steps without disrupting employee productivity 
and connectivity. 


This guide was built by security experts to provide a vendor agnostic Zero Trust 
architecture and example implementation timeline. The timeline assumes that an 
organization is beginning their Zero Trust journey from scratch, but is meant to be 
useful for all organizations. 


There are seven major components to organizational security that need to be 
considered when it comes to implementing a comprehensive Zero Trust Architecture. 
Your implementation order does not need to match how they are listed in the 
component and reference architecture sections below. 
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Components of a Zero Trust 


Architecture 


Phase 1 


Phase 2 


Phase 4 


Level 
Component Goal of Effort Page 
® Internet traffic Deploy global DNS filtering | 9 
Applications Monitor inbound emails and filter out phishing attempts | 13 
[= DLP &logs Identify misconfig and publicly shared data in SaaS tools | 20 
a Users Establish corporate identity | D 
A Users Enforce basic MFA for all applications | 6 
Applications Enforce HTTPS and DNSsec | dy 
@ Internet traffic Block or isolate threats behind SSL | | 9-10 
Applications ZT policy enforcement for publicly addressable apps | 14-16 
Applications Protect applications from layer 7 attacks | 16 
be Networks Close all inbound ports open to the Internet for app delivery | 12 
Applications Inventory all corporate applications HE 13-14 
Applications ZT policy enforcement for SaaS applications | 14-16 
® Networks Segment user network access il alti) 
Applications ZTNA for critical privately addressable applications | 14-16 
Cl Devices Implement MDM/UEM to control corporate devices il Z 
E DLP & logs Define what data is sensitive and where it exists ill 18-19 
A Users Send out hardware based authentication tokens | | 6 
E DLP & logs Stay up to date on known threat actors | 21 
A Users Enforce hardware token based MFA im | 6 
Applications ZT policy enforcement and network access for all applications ill 14-16 
D DLP & logs Establish a SOC for log review, policy updates and mitigation ill 20 
Cl Devices Implement endpoint protection | Z 
Cl Devices Inventory all corporate devices, APIs and services | 8 
g Networks Use broadband Internet for branch to branch connectivity il 11-12 
B DLP & logs Log and review employee activity on sensitive apps ill 18 
[= DLP & logs Stop sensitive data from leaving your applications nal 19 
© Steady state DevOps approach for policy enforcement of new resources | 22 
© Steady state Implement auto-scaling for on-ramp resources ill 22°25 


Here is how we define different levels of effort required for each step: 


e Il- Small effort; this can be done by an individual or small team 
© Il- Medium effort; this will require a team and advanced preparation 
- IHl- Large effort; this will require multiple teams and a project plan 
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The Roadmap to Zero Trust 


& Users 


Users include employees, contractors and customers. To implement Zero Trust, an organization 


must first have an accurate picture of who should actually be trusted, and with what — otherwise 
known as Identity. Then it must establish a way to securely authenticate the identity of its users. 


Establish a corporate Identity 


Level of effort 


Il - Medium effort 


Team(s) involved 


The team responsible for your identity provider 
(typically security or IT) 


The admins who manage internal apps used by employees 
and partners 


Product(s) Microsoft Azure AD, Okta, Ping Identity PingOne, OneLogin 

A unified corporate identity is required to accurately authenticate 

and authorize user access to corporate applications. A consistent 

corporate Identity will make granular policy enforcement for your 

applications more seamless. 

Summary Additional points to consider: 

e Is your company active in M&A? How will you consolidate 
identity stores? 

e Do you have any non-web based authentication protocols in use 
(e.g. active directory, ntml, Kerberos) 

1. Add all corporate users to the identity provider 
a. These values can often be synchronized from an 

Stens HR system like Workday, ADP, etc 
P 2. Verify that each user’s information is correct 
3. Send new users registration information to set up login 


credentials 
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Enforce multi-factor authentication for all applications 


Level of effort 


fl - small effort (if applying basic MFA) 
Il - Medium effort (if using hard keys) 


Team(s) involved 


e The team responsible for your identity provider 
(typically security or IT) 


e The admins who manage internal apps used by employees and 
partners 


Identity providers: Microsoft Azure AD, Okta, Ping Identity PingOne, 
OneLogin 


Application Reverse Proxies: Microsoft Azure AD App Proxy, Akamai 


Product(s) EAA, Cloudflare Access, Netskope Private Access, Zscaler Private 
Access (ZPA) 
Hard Keys: Yubico 
Multi-Factor Authentication (MFA) is the best protection against 
stolen user credentials via phishing or data leaks. Most MFA can be 
enabled directly in an IdP. 

Summary 
For applications not directly integrated with your IdP consider using 
an Application Reverse Proxy in front of the application to enforce 
MFA. 
1. Alert internal users to upcoming MFA enforcement. Provide 
options to sign up for SMS or App-based authenticators 
2. Enable MFA in your IdP 
3. Enable Application Reverse Proxy in front of applications not 
Steps integrated with your IdP 


4. (Bonus) Distribute Hardware keys to employees via Mail or In 
Person distribution 

5. (Bonus) Enforce Hardware key only MFA for your most sensitive 
applications 
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O Endpoints & Devices 


Endpoints and Devices include any device, API or software service within an organization or that 
have access to organizational data. Organizations must first understand their full set of devices, 
APIs and services. Then Zero Trust policies can be implemented based on the context of the 
device, API and service. 


Implement mobile device management 


Level of effort Il - Medium effort 


Team(s) involved e IT Team 


Product(s) Mac: Jamf, Kandji Windows: Microsoft Intune 


Majority of Zero Trust architecture requires software to be installed 
on at least a subset of user machines. Mobile Device Management 
(MDM) is how most organizations manage the software and 
configuration across their inventory of user devices. 


Summary 


Steps See MDM Vendor site for specific details. 


Implement endpoint protection 


Level of effort Il - Medium effort 


e Security team 


T i Ived 
eam(s) involve © IT Team 


VMWare Carbon Black, Crowdstrike, SentinelOne, 


prea Windows Defender 


Endpoint protection software is installed on a user’s machine and 
scans for known threats that affect devices. Endpoint protection 
Summary software can also be used to enforce compliance of OS patches and 
updates. The signal from your Endpoint Protection software can and 
should be used in your Application access control policies. 


1. Install the Endpoint Protection Software on users’ machines 
using MDM 

2. Enable threat protection and compliance control in the Endpoint 
Protection platform 


Steps 
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Inventory devices, APIs and services 


Level of effort 


fl - Small effort 


Team(s) involved 


e Security team 
e IT Team 


Product(s) 


Device Inventory: VMWare Carbon Black, Crowdstrike, SentinelOne, 
Windows Defender, Oomnitza 


API/Service inventory: Cloudflare application connector, Zscaler 
Private Access (ZPA) 


Summary 


Endpoint protection software and asset management software can 
be used to track all devices that have been distributed to users. An 
accurate list of devices should be maintained to track which devices 
are valid and should have access to specific applications. 


APIs and services should also be detected and maintained in an 
inventory. Network scanning can be leveraged to identify newly 
seen APIs and software services that can communicate over an 
internal or external network. 


Steps 


1. Install the Endpoint Protection Software on users’ machines 
using MDM 
2. Install the API/Service scanner within your network 
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® Internet Traffic 


Internet Traffic includes all user traffic destined for websites outside of an organization’s control. 
This can range from business related tasks to personal website usage. All outbound traffic is 
susceptible to malware and malicious sites. An organization must establish visibility and control 
over user traffic destined for the Internet. 


Block DNS requests to known threats or risky destinations 


Level of effort fl - Small effort 


e |T team with access to either router or machine configuration 


Team(s) involved : 
(s) e Security team 


DNS Filtering: Cisco Umbrella DNS, Cloudflare Gateway, DNSFilter, 


eee Zscaler Shift 


DNS filtering can be applied via router configuration or directly on 
Summary a user machine. It is one of the fastest ways to protect users from 
known malicious websites. 


DNS Filtering: Update DNS resolution configuration on your office 
Steps wifi to point to the appropriate DNS resolution service. This can be 
used to block known malicious sites. 


Block or isolate threats behind SSL/TLS 


Level of effort Il - Medium effort 


e |T team with access to either router or machine configuration 


Team(s) involved ; 
e Security team 


TLS Decryption: Cloudflare Gateway, Netskope Next Gen SWG, 


Zscaler Internet Access (ZIA) 
Product(s) 


Browser Isolation: Cloudflare Browser Isolation, Zscaler Cloud 
Browser Isolation 
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Block or isolate threats behind SSL/TLS (continued) 


Some threats are hidden behind SSL and cannot be blocked through 


Summary only HTTPS inspection. To further protect users, TLS decryption 
should be leveraged to further protect users from threats behind SSL. 
TLS decryption: 
1. Ensure the correct client software is installed on a user machine 
a. Check for any VPN or other software that might 
interfere with the outbound web traffic on the device 
2. Configure the root certificate on the device for TLS decryption 
3. Enable policies of when to avoid decrypting user traffic 
Steps a. This should be done for sites that use certificate pinning 


b. Some companies also bypass decryption for user’s 
personal traffic (e.g banking, social media, etc) 


Browser Isolation: 


1. Browser isolation can be deployed via the on-device client 
software or via an isolation link. Both approaches should be 
considered. 
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Networks 


Networks include all public, private and virtual networks within an organization. Organizations 
must first understand their existing set of networks and segment them to prevent lateral 
movement. Then, Zero Trust policies can be created that granularly control which segments of a 
network that users, endpoint and devices can access. 


Segment user network access 


Level of effort 


NHN - Large effort 


Team(s) involved 


e Security team 
e IT Team 


Product(s) 


Zero Trust Network Access (ZTNA): Cloudflare Zero Trust (Access 


and Gateway used together), Netskope Private Access, Zscaler 
Private Access (ZPA) 


Summary 


Steps 


Users can generally access an entire private network using a VPN 
or while in the office network. A Zero Trust framework requires 
that users only have access to specific segments of the network 
required to complete a given task. Zero Trust Network solutions 
allow users to access a local network remotely but, with granular 
policies based on user, device and other factors. 


1. Make the private network available to the ZTNA 

a. Typically an application connector, GRE or IPSec Tunnel 
2. Install the ZTNA client on user devices using MDM 
3. Set policies to segment user access across the private network 


Use broadband Internet for branch to branch connectivity 


Level of effort 


ONE - Large effort 


Team(s) involved 


e Network engineering team 
e IT Team 


Product(s) 


Cloudflare Magic WAN, Cato Networks, Aryaka FlexCore 
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Use broadband Internet for branch to branch connectivity (continued) 


Connectivity between private network locations (eg. data centers 
and branches) has generally been established using Multi-Protocol 
Label Switching (MPLS) lines or other forms of private links offered 
Summary by telecom providers. These MPLS links are typically expensive, and 
as commodity Internet has become higher quality, organizations can 
provide the same level of secure access by routing traffic over the 
Internet via secure tunnels at a fraction of the cost. 


1. Choose two MPLS-connected locations to start with. These 
locations will need some form of Internet connectivity. 

2. Establish a pair of redundant Anycast GRE or IPsec tunnels over 
your Internet circuits to your cloud WAN provider's edge network. 

3. Verify health and connectivity between those tunnels. Test 

Steps performance (throughput, latency, packet loss, jitter) of traffic 
workloads as similar as possible to production traffic. 

4. Change routing policies to migrate production traffic from MPLS 
to Internet tunnels 

5. Repeat at next MPLS-connected location 

6. Decommission MPLS circuits 


Close all inbound ports open to the Internet for application delivery 


Level of effort I - Small effort 


Team(s) involved e Network engineering team 


Zero Trust Reverse Proxies: Akamai EAA, Cloudflare Access, 


Product(s) Netskope, Zscaler Private Access (ZPA) 


Open inbound network ports can be found using scanning 
technology and are a common attack vector. Zero Trust Reverse 
Proxies allow you to securely expose a web application without 
opening any inbound ports. The DNS record of the application is the 
only publicly visible record of the application. And the DNS record 

is protected with Zero Trust policies. As an added layer of security, 
internal/private DNS can be leveraged using a Zero Trust Network 
Access service (more details below). 


Summary 


1. Install Reverse Proxy application connector — typically a daemon 
or virtual machine somewhere in the same network 

Steps 2. Connect the Reverse Proxy Application to the application 
connector 

3. Close all inbound port on the private network with a firewall rule 
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Applications 


Applications include any resource where organizational data exists or business processes are 
performed. Organizations must first understand the applications that exist and then establish 
Zero Trust policies for each application or, in some cases, block unapproved applications. 


Monitor email applications and filter out phishing attempts 


Level of effort 


I - Small effort 


Team(s) involved 


Product(s) 


e The team responsible for your email provider configuration 
(typically IT) 


Cloud Email Security: Cloudflare Area 1 Email Security, Mimecast, 
TitanHQ 


Browser Isolation: Cloudflare Browser Isolation, Zscaler Cloud 
Browser Isolation 


Summary 


Email is one of the few communications channels that attackers 
have unfettered access to your employees. Deploying a secure 
email gateway is a critical step to ensure that malicious or untrusted 
emails do not reach your employees. Additionally, security teams 
should consider an option to quarantine links in an isolated browser 
that are not suspicious enough to completely block. 


Steps 


1. Configure your domain’s MX records to point to the secure email 
gateway service 

2. Monitor for false positives in the first few weeks 

3. (Bonus) implement a link based browser isolation approach for 
borderline suspicious email links. 


Inventory all corporate applications 


Level of effort 


Il - Medium effort 


Team(s) involved 


e Security Team 


Product(s) 


Secure Web Gateway and CASBs with Shadow IT discovery: 


Cloudflare Gateway, Microsoft Defender for Cloud Apps, Netskope 
Next Gen SWG, Zscaler Internet Access (ZIA) 
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Inventory all corporate applications (continued) 


Summary 


Steps 


It is critical for a security team to understand their full inventory of 
applications used across the business. Often referred to as “Shadow 
IT” security teams will often discover unsanctioned or unknown 
applications being used across the business. A Secure Web 
Gateway with TLS decryption can be used to identify applications. 
The Secure Web Gateway can also be used to block unapproved 
applications or tenants of applications (e.g. personal Dropbox 
accounts). 


Enable Shadow IT scanning in the Secure Web Gateway 

Ensure the Secure Web Gateway client is installed on user devices 
Allow 2-3 weeks of traffic from users 

Review the list of identified applications 

Any unapproved applications should be blocked with Secure Web 
Gateway policies 

6. Approved applications should be protected with Zero Trust policies 


gw N > 


Zero Trust policy enforcement for applications 


Level of effort 


I - Small effort (for most critical applications) 
IH - Large effort (for all applications) 


Team(s) involved 


e Security team 
e Application development team 
e IT team 


Product(s) 


Zero Trust Reverse Proxies: Azure App Proxy, Cloudflare Access, 
Netskope Private Access, Zscaler Private Access (ZPA) 


Zero Trust Network Access (ZTNA): Cloudflare Access, Netskope 
Private Access, Zscaler Internet Access (ZIA) 


CASB: Cloudflare CASB, Netskope CASB, Zscaler CASB 


Remote Browser Isolation: Cloudflare Browser Isolation, Zscaler 
Cloud Browser Isolation 
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Zero Trust policy enforcement for applications (continued) 


Applications must be protected with Zero Trust policies that 
consider a user identity, device and network context before 
authenticating and authorizing access. Applications should 

have granular policies that enforce least privilege, especially for 
applications that contain sensitive data. There are three major 
application types and the Zero Trust security model varies for each 
type. The major application types are: 


Summary 

1. Private self-hosted applications (addressable only on the 
corporate network) 

2. Public self-hosted applications (addressable over the Internet) 

3. SaaS applications 

Note: If device context or compliance status is a required security 

policy then typically on-device client software is required. 

Private Self-Hosted Applications 

1. Build an encrypted tunnel between the application and 
Zero Trust policy layer. Typically this will be an “application 
connector”, GRE or IPSec tunnel 

2. Make the private DNS resolver available for users of the ZTNA 
device client 

3. Build policies based on user, device and network context to 
establish who can access the application 

Public Self-Hosted Applications 

1. Move the authoritative DNS or a CNAME record to the 
Application Reverse Proxy 

2. Ensure all inbound ports for closed for the application’s network 

3. Build policies based on user, device and network context to 
establish who can access the application 

Steps 


SaaS Applications 
There are a few different options to enforce Zero Trust policies for 
SaaS applications 


Identity Proxy 

Cloudflare, Netskope, and Zscaler provide Identity Proxies that 
allow the same policy enforcement as a reverse proxy self hosted 
application. This does require that the Identity Proxy is set up as the 
SSO provider of the SaaS application 


1. Remove the existing SSO integration to the SaaS app, if present 

2. Integrate the Identity proxy with the SaaS application 

3. Ensure the correct SAML attributes are sent for user creation 
and updates 

4. Create policies based on the user, device and network context 
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Zero Trust policy enforcement for applications (continued) 


Steps 


Secure Web Gateway and Single Sign On 

The other approach is to use an existing Single Sign On provider to 
control which users can and cannot access the SaaS application. 
Then the Secure Web Gateway, with a dedicated IP address, can be 
used to ensure that only users from managed devices with traffic 
inspection can access the SaaS application. 


1. Add the SaaS application to the SSO provider 

2. Create policies to enforce which users are authorized 

3. Add the IP address of the Secure Web Gateway instance to the 
SaaS application's IP Allow List (most SaaS apps support IP 
allowlists in their base security settings) 

4. Create Secure Web Gateway policies that control which users can 
access the SaaS application 


Protect applications from Layer 7 attacks (DDoS, injection, bots, etc) 


Level of effort 


Team(s) involved 


fl - Small effort 


e Security team 
e Application development team 


Product(s) 


Summary 


Any self-hosted application is susceptible to Layer 7 attacks 
including DDoS, Code Injection, Bots and more. Security teams 
should deploy a Web Application Firewall and DDoS protection 
in front of all self-hosted applications, privately and publicly 
addressable. 


Steps 


1. Add any public application’s authoritative DNS record 
2. Enable the Web Application Firewall and DDoS protection 
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Enforce HTTPS and DNSsec 


Level of effort 


Team(s) involved 


fi - Small effort 


e Security team 
e Application development team 


Product(s) Akamai, AWS, Azure, Cloudflare, GCP 
Any self-hosted web application should leverage HTTPS and 
Summary DNSSec. This prevents any potential for packet sniffing or domain 
hijacking. 
Steps 1. Add any public application’s authoritative DNS record 


2. Set HTTPS to strict and enable DNSSEC 
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[© Data Loss Prevention & Logging 


Once you have established all the Zero Trust elements of your architecture to this point, your 
architecture will be generating large volumes of data on what’s happening inside your network. 
At this point, it’s time to implement Data Loss Prevention and Logging. These are a set of 
processes and tools that focus on keeping sensitive data inside of a business and flagging 

any potential opportunities for data leakage. Organizations must first understand where their 
sensitive data exists. Then they can establish Zero Trust controls to block sensitive data being 
accessed and exfiltrated. 


Establish a process to log and review traffic on sensitive applications 


Level of effort Il - Medium effort 


Team(s) involved e Security team 


Secure Web Gateway (SWG): Cisco Umbrella, Cloudflare Gateway, 
Netskope Next Gen SWG, Zscaler Internet Access (ZIA) 


Security Incident and Event Monitoring (SIEM): 
DataDog, Splunk, SolarWinds 


Product(s) 


Secure web gateway solutions have functionality to pass user 
traffic logs to a SIEM tool. A security team should make it a regular 
Summary exercise to review traffic logs destined for sensitive applications. 
Specific alerts for anomalous or malicious traffic can be set up and 
tuned over time in the SIEM. 


1. Ensure all user traffic destined to sensitive applications is 
proxied using the SWG 

2. Enable the log push or pull functionality between your SWG and 
SIEM 

3. Seta specific interval for the security team to review traffic logs 

4. Configure alerts in the SIEM based on findings over time 


Steps 


Define what data is sensitive and where it exists 


Level of effort Il - Medium effort 


e Security team 


Team(s) involved ; 
(s) e Compliance/Legal team 


Security Incident and Event Monitoring (SIEM): 


Product(s) | pataDog, Splunk, SolarWinds 
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Define what data is sensitive and where it exists (continued) 


Sensitive data varies widely depending on industry. Technology 
companies are concerned about protecting source code while 
medical providers are heavily focused on HIPAA compliance. It is 
important to establish what sensitive data is for your company and 


Summary ae 
where it lives. 
An accurate definition and inventory of sensitive data will inform the 
implementation of Data Loss Prevention tools. 
1. Review traffic logs in the SIEM tools or directly in a Secure Web 
Steps Gateway to identify target applications and data stores 


2. Take an inventory of existing sensitive data 


Prevent sensitive data from leaving your applications 


Level of effort 


ONE - Large effort 


Team(s) involved 


e Security team 
e IT Team 
e Compliance/Legal team 


Product(s) 


In-line Data Loss Prevention (DLP): Cisco Umbrella, Cloudflare 
Gateway, Netskope Next Gen SWG, Zscaler Internet Access (ZIA) 


Summary 


Steps 


In-line DLP solutions inspect user traffic and file uploads/downloads 
for sensitive data. The sensitive data is available in well known 
predefined lists (e.g. PII, SSNs, Credit Cards, etc) or specific 
patterns can be manually configured by an administrator. DLP 
controls should be enabled for sensitive applications and can be 
expanded for all user traffic. 


1. Install the client software from the DLP provider 

2. Ensure there is no existing VPN or other tool that will 
disrupt connectivity 

3. Ensure TLS decryption is enabled and a root certificate is 
present on each user machine 

4. Enable DLP controls 

5. Monitor for DLP block events and verify if it is valid or 
a false positive 


Cloudflare | A Roadmap to Zero Trust Architecture 


Identify misconfigurations and publicly shared data in SaaS tools 


Level of effort 


i - Small effort 


Team(s) involved 


e Security team 


Product(s) 


API based Cloud Access Security Broker (CASB): Cloudflare CASB, 
DoControl, Netskope, Zscaler CSPM 


Summary 


CASBs integrate with major SaaS applications via an API integration. 
The CASB will then scan the SaaS application for Known security 
misconfiguration and data that has been publicly shared. A security 
team should establish a regular cadence to review CASB findings. 


Steps 


1. Connect each SaaS application via the provider’s API 
integration instructions 

2. Run scans for each SaaS application 

3. Review the scan results and begin remediation in each 
SaaS application where appropriate 


Establish a Security Operations Center (SOC) for log review, policy updates and mitigation 


Level of effort 


El - Medium effort 


Team(s) involved 


e Security team 


Product(s) None 
A SOC is a critical function within a security team in a Zero Trust 
Sinar framework. It should focus on reviewing log information and security 
y alerts and adjusting Zero Trust policies across all core security 
products. 
1. Review logs in SIEM or directly in security product 
Steps 2. Identify any alerts or anomalous activity 


3. Update Zero Trust policies across each tool based on findings 
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Stay up to date on known threat actors 


Level of effort fi - Small effort 


Team(s) involved e Security team 


Product(s) Threat intelligence providers: Cloudflare Radar, CISA, OWASP 


There are multiple providers focused on compiling a list of known 
threat actors and malicious websites. These threat feeds can be 


Summary automatically loaded into a Secure Web Gateway to protect users 
from attacks. 
1. Connect threat feed into Secure Web Gateway 
Steps 


2. Enable threat protection in DNS and HTTP filtering 
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© Steady State 


Once you have built out your Zero Trust architecture for all the other elements of your 
organization, there are a set of actions you can take to move your organization to a Zero Trust 
steady state, ensuring consistency with the architecture moving forward. 


Employ a DevOps approach to ensure consistent policy enforcement for all new resources 


Level of effort 


Team(s) involved 


HME - Large effort 


e Security team 
e Application development team 


Product(s) Infrastructure automation: Ansible, Puppet, Terraform 
Infrastructure automation tools allow developers to automatically 
Sna deploy Zero Trust security as part of their application development 
y pipeline. Establish internal testing that will trigger if an application is 
deployed with Zero Trust Reverse Proxy protection. 
1. Define a standard policy for new applications 
Steps 2. Add tests in the application deployment process that require 


Zero Trust Reverse Proxy protection 


Implement auto-scaling for on-ramp resources 


Level of effort 


IE - Large effort 


Team(s) involved 


e Security team 
e Application development team 


Product(s) 


Load balancers: Akamai, Cloudflare 


Infrastructure automation: Ansible, Puppet, Terraform 
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Implement auto-scaling for on-ramp resources (continued) 


Load balancers can be effective tools to ensure individual 
application infrastructure is never overloaded. As well as providing a 
level of redundancy if one application server began to fail. 


Summary 
Infrastructure automation tools can be used to spin up new 
resources if specific traffic thresholds are crossed. 
1. Configure a load balancer in front of Zero Trust Reverse Proxy 
Application connector 
2. Enable load balancing rules based on traffic volumes and/or 
Steps geo-location of users. 


3. Implement infrastructure automation policies that will provision 
new virtual machines if sufficient load is generated for a specific 
set of applications 


23 


Cloudflare | A Roadmap to Zero Trust Architecture 


24 


Example Implementation Timeline 


Every Zero Trust Architecture deployment is unique but there are a common set of steps that 
most projects follow. This is a recommended timeline for a business getting started on a Zero 


Trust Architecture implementation. 


Timeline Goal 


Relevant Products 


Phase 1 Deploy global DNS filtering 


Monitor inbound emails and filter out 
phishing attempts 


Identify misconfig and publicly shared 
data in SaaS tools 


Cisco Umbrella DNS, Cloudflare Gateway, DNSFilter, 
Zscaler Shift 


Cloud Email Security: Cloudflare Area 1 Email Security, 
Mimecast, TitanHQ 


Browser Isolation: Cloudflare Browser Isolation, Zscaler 
Cloud Browser Isolation 


Cloudflare CASB, DoControl, Netskope, Zscaler CSPM 


Phase 2 Establish corporate identity 


Enforce basic MFA for all applications 


Enforce HTTPS and DNSsec 


Block or isolate threats behind SSL 


ZT policy enforcement for publicly 
addressable apps 


Close all inbound ports open to the 
Internet for app delivery 


Protect applications from layer 7 attacks 


Microsoft Azure AD, Okta, Ping Identity PingOne, 
OneLogin 


Identity providers: Microsoft Azure AD, Okta, Ping Identity 
PingOne, OneLogin 


Application Reverse Proxies: Microsoft Azure AD App 
Proxy, Akamai EAA, Cloudflare Access, Netskope Private 
Access, Zscaler Private Access (ZPA) 


TLS Decryption: Cloudflare Gateway, Netskope Next Gen 
SWG, Zscaler Internet Access (ZIA) 


Browser Isolation: Cloudflare Browser Isolation, Zscaler 
Cloud Browser Isolation 


Zero Trust Reverse Proxies: Azure App Proxy, Cloudflare 
Access, Netskope Private Access, Zscaler Private Access 
(ZPA) 


Akamai EAA, Cloudflare Access, Netskope, Zscaler Private 
Access (ZPA) 


Phase 3 


Inventory all corporate applications 


ZT policy enforcement for SaaS 
applications 


Secure Web Gateway and CASBs with 

Shadow IT discovery: Cloudflare Gateway, Microsoft 
Defender for Cloud Apps, Netskope Next Gen SWG, 
Zscaler Internet Access (ZIA) 


Zero Trust Network Access (ZTNA): Cloudflare Access, 
Netskope Private Access, Zscaler Internet Access (ZIA) 


CASB: Cloudflare CASB, Netskope CASB, Zscaler CASB 
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Phase 4 
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Segment user network access 


ZTNA for critical privately 
addressable applications 


Implement MDM/UEM to control 
corporate devices 


Define what data is sensitive and 
where it exists 


Send out hardware based authentication 
tokens 


Stay up to date on known threat actors 


Zero Trust Network Access (ZTNA): Cloudflare Zero Trust 


(Access and Gateway used together), Netskope Private 
Access, Zscaler Private Access (ZPA) 


Cloudflare Access, Netskope Private Access, Zscaler 
Internet Access (ZIA) 


Mac: Jamf, Kandji Windows: Microsoft Intune 


DataDog, Splunk, SolarWinds 


Hard Keys: Yubico 


Cloudflare Radar, CISA, OWASP 


Enforce hardware token based MFA 


ZT policy enforcement and network 
access for all applications 


Establish a SOC for log review, policy 
updates and mitigation 


Implement endpoint protection 


Inventory all corporate devices, APIs 
and services 


Use broadband Internet for branch to 
branch connectivity 


Establish a process to log and review 
employee activity on sensitive 
applications 


Stop sensitive data from leaving your 
applications (e.g. PII, Credit Cards, 
SSNs, etc) 


Employ a DevOps approach to ensure 
policy enforcement for all new resources 


Implement auto-scaling for on-ramp 
resources 


Hard Keys: Yubico 


Cloudflare Access, Netskope Private Access, Zscaler 
Internet Access (ZIA) 


N/A 


VMWare Carbon Black, Crowdstrike, SentinelOne, 
Windows Defender 


Device Inventory: VMWare Carbon Black, Crowadstrike, 
SentinelOne, Windows Defender, Oomnitza 


API/Service inventory: Cloudflare application connector, 
Zscaler Private Access (ZPA) 


Cloudflare Magic WAN, Cato Networks, Aryaka FlexCore 


Secure Web Gateway (SWG): Cisco Umbrella, Cloudflare 
Gateway, Netskope Next Gen SWG, Zscaler Internet 
Access (ZIA) 


Security Incident and Event Monitoring (SIEM): 
DataDog, Splunk, SolarWinds 


Cisco Umbrella, Cloudflare Gateway, Netskope Next Gen 
SWG, Zscaler Internet Access (ZIA) 


Ansible, Puppet, Terraform 


Load balancers: Akamai, Cloudflare 


Infrastructure automation: Ansible, Puppet, Terraform 
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